Date:      Mon, 7 Feb 2005 19:01:12 -0600
From:      Jay <jay@meangrape.com>
To:        freebsd-pf@freebsd.org
Subject:   rule ordering
Message-ID:  <20050208010112.GC17904@mail.meangrape.com>



I'm putting in a NAT rule for the first time.  My pf.conf is just edited
from the original.

When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
following error message:

	/etc/pf.conf:62: Rules must be in order: options, normalization,
	queueing, translation, filtering

A perfectly understandable error message -- queuing should be before
translation.  As in the following snippet from my pf.conf:

	# Queueing: rule-based bandwidth control.
	altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
	queue q_pri priority 7
	queue q_def priority 1 priq(default)

	pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
		keep state queue (q_def, q_pri)
	pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
		keep state queue (q_def, q_pri)

	# Translation: specify how addresses are to be mapped or redirected.
	nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161

Yup.  Looks like queueing before translation.  But that's the snippet
that throws the error.  If I comment out all of the ALTQ rules, pfctl -n
-f /etc/pf.conf works fine.  Also the same if I comment out the NAT
rule.

My full pf.conf is available at
http://www.meangrape.com/Members/jayed/configurations/pf.conf/

(Yeah, I know, I know -- things probably look ugly -- no, I don't know
why that comment or rule is in there any more -- I'm constantly playing
around with it -- I'm not obfuscating the IPs because that's a stupid
idea...if my firewall works, it works; hiding the IPs isn't going to
make a difference.  However, if anyone feels the urge to provide
constructive criticism, I'm all ears).


-- 
Jay.
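An added checker, not from the post or from pf itself, that applies the ordering quoted in the pfctl error to a pf.conf the way pfctl reads it: comments stripped, backslash continuations joined, each logical rule classified by its leading keyword, and any rule that lands before a later section already seen reported with its line number. The keyword-to-section table is an assumption taken from pf.conf(5) of that era, and SAMPLE is constructed from the snippet above.

```python
SECTION_ORDER = ["options", "normalization", "queueing", "translation", "filtering"]
# Sections in the order pfctl demands; keyword -> section is an assumption from
# pf.conf(5) of that era: pass/block are filtering even when they end in "queue (...)".
KEYWORDS = {"set": "options", "scrub": "normalization",
            "altq": "queueing", "queue": "queueing",
            "nat": "translation", "rdr": "translation", "binat": "translation",
            "pass": "filtering", "block": "filtering"}
SAMPLE = """\
ext_1 = "rl1"
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \\
    keep state queue (q_def, q_pri)
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
"""  # constructed input modelled on the snippet in the post

def classify(rule):
    """Section of one logical rule, or None for macros, tables, unknown lines."""
    if "=" in rule and rule.split("=", 1)[0].strip().isidentifier():
        return None  # macro definition such as ext_1 = "rl1"
    return KEYWORDS.get(rule.split()[0])

def logical_rules(text):
    """Yield (first_lineno, rule): comments stripped, backslash continuations joined."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        start = start or lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def check_order(text):
    """Return [(lineno, section, later section already seen), ...]; [] means OK."""
    violations, seen_rank, seen_name = [], -1, None
    for lineno, rule in logical_rules(text):
        section = classify(rule)
        if section is None:
            continue
        rank = SECTION_ORDER.index(section)
        if rank < seen_rank:
            violations.append((lineno, section, seen_name))
        else:
            seen_rank, seen_name = rank, section
    return violations
```

On SAMPLE the report points at the nat line, as pfctl did at line 62, because the preceding pass rules count as filtering; moving the nat line above them clears it.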

